Cyber Deterrence: Cybersecurity’s Next Phase

Can we reduce the likelihood of digital attacks?

Cyber attackers pose many threats to a wide range of targets. Russia, for example, was accused of hacking Democratic Party computers throughout the year, interfering with the U.S. presidential election. Then there was the unknown attacker who, on a single October day, used thousands of Internet-connected devices, such as digital video recorders and cameras compromised by Mirai malware, to take down several high-profile websites, including Twitter.

Deterrence focuses on making potential adversaries think twice about attacking, forcing them to consider the costs of doing so, as well as the consequences that might come from a counterattack. There are two main principles of deterrence. The first, denial, involves convincing would-be attackers that they won’t succeed, at least without enormous effort and cost beyond what they are willing to invest. The second is punishment: Making sure the adversaries know there will be a strong response that might inflict more harm than they are willing to bear.

For decades, deterrence has effectively countered the threat of nuclear weapons. Can we achieve similar results against cyber weapons?

Cyber weapons are nothing like nuclear ones. They are readily developed and deployed by individuals and small groups as well as states. They are easily replicated and distributed across networks, rendering impossible the hope of anything that might be called “cyber nonproliferation.” Cyber weapons are often deployed under a cloak of anonymity, making it difficult to figure out who is really responsible. And cyber attacks can achieve a broad range of effects, most of which are disruptive and costly, but not catastrophic.

This does not mean cyber deterrence is doomed to failure. The sheer scale of cyber attacks demands that we do better to defend against them.

There are three things we can do to strengthen cyber deterrence: Improve cybersecurity, employ active defenses and establish international norms for cyberspace. The first two of these measures will significantly improve our cyber defenses so that even if an attack is not deterred, it will not succeed.

Stepping up protection

Cybersecurity aids deterrence primarily through the principle of denial. It stops attacks before they can achieve their goals. This includes beefing up login security, encrypting data and communications, fighting viruses and other malware, and keeping software updated to patch weaknesses when they’re found.

Cybersecurity guru Bruce Schneier aptly characterizes the prevalence of insecure Internet-of-Things devices as a market failure akin to pollution. Simply put, the market favors cheap insecure devices over ones that are more costly but secure. His solution? Regulation, either by imposing basic security standards on manufacturers or by holding them liable when their products are used in attacks.

Active Defenses

When it comes to taking action against attackers, there are many ways to monitor, identify and counter adversary cyberattacks. These active cyber defenses are similar to air defense systems that monitor the sky for hostile aircraft and shoot down incoming missiles. Network monitors that watch for and block (“shoot down”) hostile packets are one example, as are honeypots that attract or deflect adversary packets into safe areas. There, they do not harm the targeted network, and can even be studied to reveal attackers’ techniques.

Another set of active defenses involves collecting, analyzing and sharing information about potential threats so that network operators can respond to the latest developments. For example, operators could regularly scan their systems looking for devices vulnerable to or compromised by the Mirai botnet or other malware. If they found some, they could disconnect the devices from the network and alert the devices’ owners to the danger.

Active cyber defense does more than just deny attackers opportunities. It can often unmask the people behind them, leading to punishment. Nongovernment attackers can be shut down, arrested and prosecuted; countries conducting or supporting cyberwarfare can be sanctioned by the international community.

Currently, however, the private sector is reluctant to employ many active defenses because of legal uncertainties. The Center for Cyber and Homeland Security at George Washington University recommends several actions that the government and the private sector could take to enable the more widespread use of active defenses, including clarifying regulations.

Cyberspace will never be immune to attack – no more than our streets will be immune to crime. But with stronger cybersecurity, increased use of active cyber defenses, and international cyber norms, we can hope to at least keep a lid on the problem.